On 01/06/15 12:52, Alfred E. Heggestad wrote:
> Hey Matt,
> 
> 
> openssl version 1.0.2a on both sides (Client and Server)
> 
> 
>> Are you also running OpenSSL on the server side (and if so which version
>> there)?
>>
>> The error message suggests that the NewSessionTicket message that has
>> been received by the client is incorrectly formatted.
>>
>> A packet capture for a problem handshake might help diagnose the problem
>> further.
>>
> 
> please see the attached PCAP file, in this case Packet #4 is dropped
> internally in the software (to simulate Packet-loss).
> 
> 
> 
> that test-code has the following option set, to avoid fragmentation:
> 
>     SSL_set_options(tc->ssl, SSL_OP_NO_QUERY_MTU);
>     DTLS_set_link_mtu(tc->ssl, 1480);
> 
> 
> please note that dropping Packet #1, #2 and #3 works as expected.
> but dropping the final packet (packet #4) does not work.

Thanks - I've figured it out. This is a manifestation of a known issue
with retransmits in 1.0.2a. It will be fixed in 1.0.2b. I have attached
a patch for 1.0.2a which should solve your problems for now.

The relevant 1.0.2 commits that fix this are here:
https://github.com/openssl/openssl/commit/a20718fa2c0a45e6acb975cf6c0438c3ebd45b13

and here:
https://github.com/openssl/openssl/commit/4285b851637a3da8bd6e96848f0deffb6be5e626


Matt

From fdfd7684dcc6a6751771e43c6e8fdb298df64f82 Mon Sep 17 00:00:00 2001
From: Matt Caswell <m...@openssl.org>
Date: Thu, 5 Feb 2015 13:54:37 +0000
Subject: [PATCH 1/2] Ensure last_write_sequence is saved in DTLS1.2

In DTLS, immediately prior to epoch change, the write_sequence is supposed
to be stored in s->d1->last_write_sequence. The write_sequence is then reset
back to 00000000. In the event of retransmits of records from the previous
epoch, the last_write_sequence is restored. This commit fixes a bug in
DTLS1.2 where the write_sequence was being reset before last_write_sequence
was saved, and therefore retransmits are sent with incorrect sequence
numbers.

Reviewed-by: Richard Levitte <levi...@openssl.org>
(cherry picked from commit d5d0a1cb1347d4a8547e78aec56c50c528186e50)
---
 ssl/t1_enc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 577885f..6869909 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -404,9 +404,9 @@ int tls1_change_cipher_state(SSL *s, int which)
         }
 #endif
         /*
-         * this is done by dtls1_reset_seq_numbers for DTLS1_VERSION
+         * this is done by dtls1_reset_seq_numbers for DTLS
          */
-        if (s->version != DTLS1_VERSION)
+        if (!SSL_IS_DTLS(s))
             memset(&(s->s3->read_sequence[0]), 0, 8);
         mac_secret = &(s->s3->read_mac_secret[0]);
         mac_secret_size = &(s->s3->read_mac_secret_size);
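Review bot: The commit message covers only the write side (write_sequence being reset before last_write_sequence is saved), but this hunk changes the read path as well: with "if (!SSL_IS_DTLS(s))", read_sequence is no longer zeroed here for DTLS 1.2. Please state in the commit message that the read-side reset is also being left to dtls1_reset_seq_numbers for every DTLS version, and confirm that function is reached on this path, since the call is not visible in the hunk.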
@@ -442,9 +442,9 @@ int tls1_change_cipher_state(SSL *s, int which)
         }
 #endif
         /*
-         * this is done by dtls1_reset_seq_numbers for DTLS1_VERSION
+         * this is done by dtls1_reset_seq_numbers for DTLS
          */
-        if (s->version != DTLS1_VERSION)
+        if (!SSL_IS_DTLS(s))
             memset(&(s->s3->write_sequence[0]), 0, 8);
         mac_secret = &(s->s3->write_mac_secret[0]);
         mac_secret_size = &(s->s3->write_mac_secret_size);
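Review bot: The updated comment above "if (!SSL_IS_DTLS(s))" says who performs the reset but not why it must not happen here. Since the bug was write_sequence being zeroed before it was stored in s->d1->last_write_sequence, the comment should state that ordering requirement, so a later change does not reintroduce a version-specific check at this line. A regression test that retransmits a previous-epoch record under DTLS 1.2 and checks the sequence number would back that up.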
-- 
2.1.4


From 5fa54fc7d1edcb8d3febed3f8b141026e8e5819a Mon Sep 17 00:00:00 2001
From: Matt Caswell <m...@openssl.org>
Date: Thu, 5 Feb 2015 13:59:16 +0000
Subject: [PATCH 2/2] Add ticket length before buffering DTLS message

In ssl3_send_new_session_ticket the message to be sent is constructed. We
skip adding the length of the session ticket initially, then call
ssl_set_handshake_header, and finally go back and add in the length of the
ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side
effect of buffering the message for subsequent retransmission if required.
By adding the ticket length after the call to ssl_set_handshake_header the
message that is buffered is incomplete, causing an invalid message to be
sent on retransmission.

Reviewed-by: Richard Levitte <levi...@openssl.org>
(cherry picked from commit 4f9fab6bd0253416eeace5a45142c7c4a83bc511)

Conflicts:
	ssl/s3_srvr.c
---
 ssl/s3_srvr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index c016139..f7ffa06 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3391,10 +3391,10 @@ int ssl3_send_newsession_ticket(SSL *s)
         /* Now write out lengths: p points to end of data written */
         /* Total length */
         len = p - ssl_handshake_start(s);
-        ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len);
         /* Skip ticket lifetime hint */
         p = ssl_handshake_start(s) + 4;
         s2n(len - 6, p);
+        ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len);
         s->state = SSL3_ST_SW_SESSION_TICKET_B;
         OPENSSL_free(senc);
     }
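Review bot: The moved ssl_set_handshake_header call now has to come after "s2n(len - 6, p)", but nothing at that line says so. Add a comment above the call noting that in DTLS it buffers the message for retransmission, so every length field must already be written; without it, a later cleanup could move the call back up next to the "Total length" computation. The literal 6 in "len - 6" (4-byte lifetime hint plus the 2-byte length itself) would also benefit from a short comment.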
-- 
2.1.4

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
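
The ordering problem described in the [PATCH 2/2] commit message, as an added toy model that is not part of the original mail and is not OpenSSL code. The names toy_conn, toy_set_header, toy_build_ticket and toy_rtx_well_formed are hypothetical, and the ticket bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Toy model, not OpenSSL code: 4-byte hint, 2-byte ticket length, ticket. */
struct toy_conn {
    uint8_t msg[64];   /* message under construction */
    uint8_t rtx[64];   /* snapshot kept for retransmission */
    size_t rtx_len;
};

/* Hypothetical stand-in for the DTLS buffering side effect: copy msg as-is. */
static void toy_set_header(struct toy_conn *c, size_t len)
{
    memcpy(c->rtx, c->msg, len);
    c->rtx_len = len;
}

/* header_first != 0 reproduces the pre-patch order of operations. */
static int toy_build_ticket(struct toy_conn *c, const uint8_t *ticket,
                            size_t tlen, int header_first)
{
    size_t len = 4 + 2 + tlen;
    if (len > sizeof(c->msg))
        return -1;
    memset(c, 0, sizeof(*c));
    memcpy(c->msg + 6, ticket, tlen);       /* length field still zero */
    if (header_first)
        toy_set_header(c, len);             /* buffers an incomplete body */
    c->msg[4] = (uint8_t)((len - 6) >> 8);  /* same value as s2n(len - 6, p) */
    c->msg[5] = (uint8_t)(len - 6);
    if (!header_first)
        toy_set_header(c, len);             /* buffers the finished body */
    return 0;
}

/* Receiver-side check: declared ticket length must match the bytes present. */
static int toy_rtx_well_formed(const struct toy_conn *c)
{
    size_t declared = ((size_t)c->rtx[4] << 8) | c->rtx[5];
    return c->rtx_len >= 6 && declared == c->rtx_len - 6;
}

int main(void)
{
    static const uint8_t ticket[16] = { 0xAA };  /* constructed sample */
    struct toy_conn c;
    toy_build_ticket(&c, ticket, sizeof(ticket), 1);
    return toy_rtx_well_formed(&c);  /* exit 0: pre-patch copy is malformed */
}
```

The first transmission is correct in both orders because it is sent from msg after the length is written; only the buffered copy differs, which is why the failure appears only when the last flight is dropped.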